Use fail2ban to block WordPress login attempts

Today while monitoring traffic on my server I noticed that there was one IP from the UK that kept accessing my server and generating a noticeable amount of traffic. I did a quick IP lookup and netstat to find that the IP was accessing port 80 on my server. I then went to the httpd logs and searched for the IP and voilà! It was trying to log into my WordPress site, attempt after attempt.

Since I already have fail2ban running on my server, I decided to look into using fail2ban to ban lots of failed attempts.

Looking at my logs I saw many lines like:
xxx.xxx.xxx.xxx - - [24/Feb/2016:14:09:44 -0600] "POST /wp-login.php HTTP/1.0" 301 245 "-" "-"

So I created /etc/fail2ban/filter.d/wordpress.conf:

# wordpress auth filter
[INCLUDES]
before = common.conf

[Definition]
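# <HOST> marks the client address that fail2ban will ban; only POSTs to wp-login.php answered with status 200 are counted
failregex = ^<HOST> .* "POST .*wp-login\.php HTTP/.*" 200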
ignoreregex =

Add the conf to jail.conf:

[wordpress]

port = http,https
logpath = %(apache_access_log)s

Add the rule to jail.local:

[wordpress]
enabled = true
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https"]
logpath = /var/log/httpd/*access*log
bantime = 86400
maxretry = 5

Now test the rule:
# fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/wordpress.conf

Once verified, restart fail2ban:
# systemctl restart fail2ban.service

Verify:
# iptables -vnL

It's very easy to block other patterns as well, as long as you can find the pattern in the log files.
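
To see what the filter counts before fail2ban acts on it, here is an added example (not part of the original post) that applies the same failregex to constructed access-log lines and lists the addresses that reach maxretry. It assumes `<HOST>` can be approximated by a plain non-whitespace group, uses made-up documentation addresses, and ignores the findtime window.

```python
import re
from collections import Counter

# failregex from wordpress.conf. fail2ban expands <HOST> itself; the named
# group below is a simplified stand-in for that expansion (assumption).
FAILREGEX = r'^<HOST> .* "POST .*wp-login\.php HTTP/.*" 200'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
MAXRETRY = 5  # maxretry from the [wordpress] jail


def log_line(host, method, status):
    """Build one constructed access-log line in the format quoted in the post."""
    return (f'{host} - - [24/Feb/2016:14:09:44 -0600] '
            f'"{method} /wp-login.php HTTP/1.0" {status} 245 "-" "-"')


# Constructed sample traffic using documentation addresses, not real log data.
SAMPLE = (
    [log_line("203.0.113.7", "POST", 200)] * 5       # repeated failed logins
    + [log_line("203.0.113.7", "POST", 301)]         # redirect, like the quoted line
    + [log_line("192.0.2.55", "POST", 200)] * 2      # a user mistyping twice
    + [log_line("198.51.100.20", "POST", 302),       # redirect after a good login
       log_line("198.51.100.20", "GET", 200)]        # just loading the login form
)


def failed_logins(lines):
    """Count, per client address, the lines the failregex matches."""
    hits = Counter()
    for line in lines:
        match = PATTERN.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def would_ban(lines, maxretry=MAXRETRY):
    """Addresses reaching maxretry matches (the findtime window is ignored here)."""
    return sorted(h for h, n in failed_logins(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(failed_logins(SAMPLE)))
    print("would be banned:", would_ban(SAMPLE))
```

Only POSTs answered with 200 are counted, so a line with status 301 like the one quoted from the log does not add to the retry count.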

jlim0930
